Microsoft® Office 2007 Training
Security II: Turn off the Message Bar and run code safely
John Deere presents:
Who is this course for?
• Developers of code (macros) for use at Deere
• Users of that code
• We’re assuming you already know how to create and/or run macros.
Course Goals
• Understand how Office 2007 protects users from potentially malicious code
• Developers will know how to obtain a Code Signing Certificate at Deere and how to add the digital signature to their work
• Users learn how to add a digital certificate to their list of trusted publishers
Lesson
Developers: Getting a Digital Certificate at Deere
Run macros and other code safely
Imagine you’ve created a macro — an automated set of instructions — for one of your Microsoft Office Word documents.
Your co-workers like using the file, but every time they run it they have to use the Message Bar and a security dialog box before the macro can run.
They’d love to just open the file without having to deal with the Message Bar and a security dialog box.
Overview: When a source is trustworthy
Whenever you open a file that contains code such as a macro, ActiveX control, or add-in, Office disables the code, and you have to use the Message Bar to enable the blocked content.
Why does Office do this? Because macros can be a source of malicious code.
Why turn off the Message Bar? Because you can save yourself and your co-workers a lot of time.
Getting a Digital Certificate at Deere
Who needs a digital certificate? Developers of applications and code that are used internal to the Deere network on computers in the JDNet domain.
Benefits for developers? A single digital certificate can be used to sign multiple projects. Your code can be ‘trusted.’
Where can the certificates be used? On all Microsoft operating systems (including Office products) and IE browsers in the JDNet domain.
Computer Security Policy Regarding Macros
Unsigned or untrusted code requires interaction
Macro security is set to medium in Office 2003 and Office 2007
Macro settings are enforced by group policy
How to request a Digital Certificate
Developers must be a member of their unit’s G##_Code_Signing_Certs group, which is in turn nested in the L90_Code_Signing_Certs group.
Developers can request group membership by contacting the helpdesk and asking for membership in their unit’s code signing certificate group.
See the EDS KB article “How to Enroll for an Internal Code Signing Certificate” at http://edskb.deere.com for details.
II’s: Request a Unit Digital Certificate Group
If a unit does not have a code signing certificate group, one can be requested.
II’s put in a ticket for creation of a G##_Code_Signing_Certs group, which is in turn nested in the L90_Code_Signing_Certs group. II’s should manage the group.
Again, see the EDS KB article “How to Enroll for an Internal Code Signing Certificate” at http://edskb.deere.com for details.
User benefits of Digital Certificates
A digital certificate can be ‘trusted’ by users (added to list of trusted publishers).
Once the publisher is trusted, the user will no longer be prompted for macros and automation signed by the certificate that they have chosen to trust.
In other words, trusting the publisher allows users to turn off the Message Bar and run code safely.
Lesson
Developers: How to sign your code with your digital certificate.
Is Developer Tab Available?
In Office 2007, you must be able to view the Developer tab on the ribbon to code or sign macros.
1 Open the Office document that has the macro(s) you want to sign.
2 Click the Office Button on the ribbon – Excel Options – Show developer tab in Ribbon. Click OK.
3 Select Visual Basic Editor (or press ALT + F11).
Developers: How to Digitally Sign Code
1 In the Visual Basic Editor window, click Tools – Digital Signature. This shows whether the VBA project is unsigned or signed by another certificate.
2 Click Choose if [No Certificate] is displayed. Otherwise click Remove and select another certificate.
Find the certificate
1 If your user profile has been issued a Code Signing Certificate via AutoEnrollment, then you will see a certificate named “Code Signing Certificate”. Select the certificate you want to use and click OK.
2 The Digital Signature screen shows that the VBA project has been signed.
3 Click OK. Close the Visual Basic Editor, save the file and close it. The macro is now signed. Repeat this process for each file with a macro to be signed.
Attaching the certificate
Questions
On Developer steps to sign a macro?
Myth Busting: Macro-style
Myth: Macros don’t work in Office 2007. Busted: Lots of users are missing the fact that they have to use the Message Bar to enable the blocked content.
Myth: Macro security is higher in Office 2007. Busted: It’s set to MEDIUM – the same as Office 2003.
DID YOU KNOW? You don’t have to enable macros to be able to see the content of a file that contains macros.
Lesson
Users: Run macros and other code safely
Trust a digital certificate
You “trust” a digital certificate by adding it to your list of trusted publishers.
It’s a straightforward process, but remember you don’t see the commands discussed here unless you open a file that contains signed code.
If a file contains unsigned code, you can enable it, but not trust it permanently, which means you’ll see the message bar every time you open the file.
How to “trust” a digital certificate.
1 When you open a file that contains code, the Message Bar displays a security warning, indicated by the shield on the left.
2 Click Options. That starts the Security Warning dialog box.
3 If the code is signed, you can click Trust all documents from this publisher, and then click OK.
Questions
On user steps to trust a Digital Certificate?
Remove a digital certificate
As a rule, you should check your list of trusted publishers regularly, and remove any invalid certificates.
Certificates that come from large corporations, such as Verisign, are updated automatically and you almost never need to remove them.
However, self certificates do expire. They can also become invalid for a variety of reasons, such as when someone tampers with a macro.
So it’s a good idea to keep your list of trusted publishers up to date.
1 Click the Microsoft Office button, and then click the program’s Options button. For example, if you’re working in Word, click Word Options.
2 Click Trust Center, and then click Trust Center Settings.
3 Click Trusted Publishers, click the certificate you want to remove, and then click Remove.
Self Certificates: Not Recommended
Self certificates aren’t valid for your co-workers or other users because they haven’t been authenticated by a certificate authority, and therefore are not recommended for use at Deere.
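The regular review of trusted publishers described above can also be done from PowerShell. This is an added example, not part of the original training: it reads the current user's Trusted Publishers certificate store and flags entries that are expired, self-signed, lacking the Code Signing usage, or failing chain validation. The function name Get-TrustedPublisherReview, its parameters and the output column names are illustrative.

```powershell
# Added example: review the certificates a user has chosen to trust as publishers.
# Get-TrustedPublisherReview, -StorePath, -WarnDays and the column names are illustrative.
function Get-TrustedPublisherReview {
    param(
        # Windows certificate store that holds the user's trusted publishers
        [string]$StorePath = 'Cert:\CurrentUser\TrustedPublisher',
        # Flag certificates that expire within this many days
        [int]$WarnDays = 30
    )

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing
    $now = Get-Date

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $findings = @()

        # Validity period
        if ($cert.NotBefore -gt $now) { $findings += 'Not yet valid' }
        if ($cert.NotAfter -lt $now) { $findings += 'Expired' }
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { $findings += "Expires within $WarnDays days" }

        # A "self certificate" has the same subject and issuer
        if ($cert.Subject -eq $cert.Issuer) { $findings += 'Self-signed' }

        # If the certificate restricts its usages, Code Signing must be one of them
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        if ($ekuOids.Count -gt 0 -and $ekuOids -notcontains $codeSigningOid) { $findings += 'No Code Signing usage' }

        # Basic chain validation against the machine's trusted roots
        if (-not $cert.Verify()) { $findings += 'Chain does not validate' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Findings   = $findings -join '; '
        }
    }
}

# Show only the entries that need attention
Get-TrustedPublisherReview | Where-Object Findings | Format-Table -AutoSize
```

Entries reported here are candidates for removal through Trust Center, Trusted Publishers, as in the steps above.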
End of Presentation